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Executive Summary 


This report is a technical analysis of the source code of TikTok mobile applications Android 
25.1.3 as well as IOS 25.1.1. Analysis of the Android application was performed using a Galaxy 
S9 cell phone. Internet 2.0 conducted static and dynamic analysis of the source code between 
01-12 July 2022. This report aims to analyse TikTok device and user (customer) data collection. 
Prepared by Internet 2.0, this report is for policy makers and legislators to make evidence- 
based decisions. TikTok is a dominant social media application and is the 6 most used 
application globally with forecasted advertising revenues in 2022 expected to be USD12 billion. 
In our analysis the TikTok mobile application does not prioritise privacy. Permissions and 
device information collection are overly intrusive and not necessary for the application to 
function. The following are examples of excessive data harvesting. 


e Device Mapping. The application retrieves all other running applications on the phone. 
TikTok also gathers all applications that are installed on the phone. In theory this 
information can provide a realistic diagram of your phone. 

e Location. TikTok checks the device location at least once per hour. 

e Calendar. TikTok has persistent access to the calendar. 

e Contacts. TikTok has access to contacts and if the user denies access, it continuously 
requests for access until the user gives access. 

e Device information. TikTok has code that collects the following device detailed 
information on Android. 

o Wi-Fi SSID 

o Device build serial number 

o SIM serial number 

o Integrated Circuit Card Identification Number (this is global unique serial 
number that is specifically tailored to your SIM card) 

Device IME] 

Device MAC address 

o Device line number 


Oo oO 
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Device voicemail number 

GPS status information (updates on the GPS location) 

Active subscription information 

All accounts on the device 

Complete access to read the clipboard (dangerous as password managers use 
clipboards) 


oOo 0 0 


Also of note is that TikTok IOS 25.1.1 has a server connection to mainland China which is run by 
atop 100 Chinese cyber security and data company Guizhou Baishan Cloud Technology Co., Ltd. 


Introduction 

TikTok is currently one of the dominant social media application in the market. It is the 6 most 
used application. As at September 2021 TikTok has over 1 billion active users globally with 
142.2 million users in North America.! It has been downloaded over 3.5 billion times as of 
January 2021, with 43.7% of users 18-24 years old and 31.9% 25 to 34 years old. TikTok’s 
projected advertising annual revenue in 2022 will hit USD12 billion, up from USD1.41 billion in 
2020.2 


TikTok Net Ad Revenues Worldwide, 2019-2024 


billions 
$23.58 
$18.04 
$11.64 
$3.88 
$1.41 
$0.34 
2019 2020 2021 2022 2023 2024 


Note: includes advertising that appears on desktop and laptop computers as well as mobile 
phones, tablets, and other internet-connected devices, and includes all the various formats 
of advertising on those platforms; net ad revenues after company pays traffic acquisition 
costs (TAC) and content acquisition costs (CAC) to partner sites 

Source: eMarketer, March 2022 


Figure 1. Projected TikTok advertising revenue (see footnote 2) 


1 https://www.shopify.com/blog/tiktok-statistics 
* https://www.insiderintelligence.com/content/tiktok-douyin-digital-ad-spend 
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Internet 2.0 conducted static and dynamic analysis of the TikTok mobile application Android 
25.1.3 as well as static analysis of the TikTok mobile application IOS 25.1.1 to understand user 
and device data collection.? The analysis also seeks to confirm the existence of any malicious 
code or features of the application. We decompiled the source code of the application available 
on the app stores and analysed it through multiple systems (including multiple sandbox 
services) and manual source code reviews. This is divided into the following sections: user 
permissions and third-party data access; device and user data harvesting; and conclusion. 


User Permissions and Third-Party Data Access 


There are certain permissions that the Android documentation considers to be “dangerous”. 
They are considered dangerous due to the permission providing additional access to restricted 
data. For example, the ability to read all SMS messages could be considered dangerous because 
an application could send all your texts to a server and save the information for future use (such 
as a malware). Unfortunately, TikTok makes use of a lot of these dangerous permissions. We 
noted the Android version had many more than the IOS version. IOS has a justification system 
where to gain a permission the developer must justify why this permission is required before it 
is granted. We believe the justification system IOS implements systematically limits a culture of 


“grab what you can” in data harvesting. The fact that TikTok had far more permissions for 
Android over IOS is a good demonstration of their culture when it comes to privacy. 


android.permission.WRITE_EXTERNAL_STORAGE (EEE —ead/modify/delete external. ~—_Allows an application to write to external storage. 
storage contents 
android.permission.ACCESS_COARSE_LOCATION { dangerous | coarse (network-based) Access coarse location sources, such as the mobile network database, to determine an approximate 
location phone location, where available. Malicious applications can use this to determine approximately 

where you are. 

android.permission.AUTHENTICATE_ACCOUNTS, CQ acts an account Allows an application to use the account authenticator capabilities of the Account Manager, 

authenticator including creating accounts as well as obtaining and setting their passwords. 

android.permission.CAMERA (EEE take pictures and videos Allows application to take pictures and videos with the camera. This allows the application to collect 
images that the camera is seeing at any time. 

android.permission.GET_TASKS [ dangerous | retrieve running applications Allows application to retrieve information about currently and recently running tasks. May allow 
malicious applications to discover private information about other applications. 

android.permission.READ_CALENDAR [ dangerous | read calendar events Allows an application to read all of the calendar events stored on your phone. Malicious applications 
can use this to send your calendar events to other people. 

android.permission.READ_CONTACTS CE Sead contact data Allows an application to read all of the contact (address) data stored on your phone. Malicious 
applications can use this to send your data to other people. 

android.permission.READ_EXTERNAL_STORAGE CEPEZ5_~—seadexternal storage contents _Allows an application to read from external storage. 

android.permission.RECORD_AUDIO CEE Secord audio Allows application to access the audio record path. 

android.permission.SYSTEM_ALERT_WINDOW CEE display system-level alerts Allows an application to show system-alert windows. Malicious applications can take over the entire 
screen of the phone. 

android.permission.WRITE_CALENDAR C= add or modify calendar events Allows an application to add or change the events on your calendar, which may send emails to 


and send emails to guests 


guests. Malicious applications can use this to erase or modify your calendar events or to send emails 


Figure 2a. TikTok Android access permissions rated as dafigerous. 


3 This analysis provides impartial advice for users to evaluate the extent to which their data is collected for 
privacy reasons. It allows policy advisors and legislators to make evidence-based decisions when discussing 


privacy concerns with vendors. This report was written for a global audience and does not include any legal or 
jurisdiction based regional assessments. 
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PERMISSIONS * STATUS INFO REASON IN MANIFEST 

NSAppleMusicUsageDescription Access Apple Media Library. To select sound from your library, allow us to access your Apple Music. 

NSCalendarsUsageDescription Access Calendars. Add events to your device calendar to get reminders when events start. 

NSCameraUsageDescription CEE Access the Camera. You'll be able to record video. 

NSContactsUsageDescription Access Contacts. Sync your contacts to easily find people you know on TikTok. Your contacts will only be used to help you connect with 

friends. 

NSLocationWhenInUseUsageDescription Access location information when app is in the If location services are enabled, TikTok will collect, store and use your device's approximate location to improve your 
foreground. experience. 

NSMicrophoneUsageDescription Access microphone. To record audio, allow us to access your Microphone. 

NSPhotoLibraryUsageDescription CES = Access the user’s photo library. To upload from or download to your device, allow access to your photos in your phone settings. 


Figure 2b. TikTok IOS access permissions rated as dangerous. 


Device mapping 


The Android application collects all other running and installed applications on the phone (this 
is an unnecessary function), see figure 3. Theoretically, this information can provide a realistic 
diagram of your phone. 


LIZIZ.append(100909, 
LIZIZ.append(10091@, 
LIZIZ. append (190911, 
LIZIZ.append(190912, 
LIZIZ.append(191900, 
LIZIZ.append(161001, 
LIZIZ. append (101100, 
LIZIZ. append (101200, 
LIZIZ.append(191306, 
LIZIZ.append(191301, 
LIZIZ.append( 191302, 
LIZIZ. append (101304, 
LIZIZ. append (161305, 
LIZIZ. append (101306, 
LIZIZ.append(191307, 
LIZIZ.append(191308, 
LIZIZ.append(191309, 
LIZIZ.append(191316, 
LIZIZ.append(101311, 
LIZIZ. append (101406, 
LIZIZ.append(191506, 
LIZIZ. append(10169@, 
LIZIZ.append(101601, 
LIZIZ. append(191602, 
LIZIZ. append (101700, 
LIZIZ.append(101701, 
LIZIZ.append(191800, 
LIZIZ.append(191861, 
LIZIZ.append( 101802, 
LIZIZ.append(101803, 
LIZIZ.append(191804, 
L1ZIZ.append(101805, 
LIZIZ. append (101806, 
LIZIZ.append(191807, 
LIZIZ.append( 101808, 
LIZIZ. append (101809, 
LIZIZ.append(101900, 
LIZIZ.append(102600, 
LIZIZ.append(102001, 


a(100909, 
a(109919, 
a(100911, 
a(190912, 
a(101000, 
a(191001, 
a(101100, 
a(101200, 
a(101360, 
a(101301, 
a(101302, 
(101304, 
a(101305, 
a(101306, 
a(101307, 
a(101308, 
a(101309, 
a(101310, 
a(101311, 
a(101490, 
a(101500, 
(101600, 
(101601, 
(101602, 
a(101760, 
a(101701, 
a(101800, 
a(101801, 
a(101802, 
a(101803, 
a(101804, 
a(101805, 
a(101806, 
(101807, 
a(101808, 
(101803, 
(161906, 
(162000, 
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“android.telephony.TelephonyManager", "getAllCellInfo", "", "™ 
“android. telephony.TelephonyManager", "requestCellInfoUpdate", "" 
"android.telephony.PhoneStateListener", "onCellLocat ionChanged" 


> new String[]{"android. permission. ACCESS_FINE_LOCATION"}, 0, C17260jk.LIZ("location"))); 

", "™, new String[]{"android.permission.ACCESS FINE LOCATION}, 0, C17260jk.LIZ("Location"))); 
>", new String[]{"android.permission.ACCESS_FINE_LOCATION"}, 0, C17260jk.LIZ("Location"))); 
“android.telephony.PhoneStateListener", "onCellInfoChanged", "", "", "", new String “android.permission.ACCESS_FINE_LOCATION"}, ©, C1726@jk.LIZ("location"))); 
“android.net.wifi.WifiInfo", "getSSID", "", "", "", new String[@], 9, C278311x.LIZIZ("location", "wifi", "device_info"))); 
"android.net.wifi.WifiManager", "getConfiguredNetworks", "", "", new String[] {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_WIFI_STATE"}, ©, C278311x.LIZIZ("Location", "wifi"))) 
"android.net.wifi.WifiInfo", "getBSSIO", "", "", "", new String[@], ©, C278311x.LIZIZ("location", "wifi", "device_info"))); 
"android.os.Build", "getSerial" new String[]{"android.permission.READ_PHONE_STATE"}, 0, C17260jk.LIZ("device_info"))); 
"android.app.ActivityManager", on new String[9], 6, C17260jk.LIZ("application"))); 
"android.app.ActivityManager", new String[0], 0, C17260jk.LIZ("application"))); 
"android.app.ActivityManager", ", new String[@], ©, C17260jk.LIZ("application"))) 5 
"android.content.pm.PackageManager", nnn, ", new String[0], 6, C17260jk.LIZ("application"))); 
"android. content. pm.PackageManager", mm, ™, ", new String[o], @, C17260jk.LIZ("application"))); 
"android.view.accessibility.AccessibilityManager", "getInstalledAccessibilityServiceList", "", "", "", new String[6], 0, C17260jk.LIZ("application"))); 
"android.view.accessibility.AccessibilityManager", "getEnabledAccessibilityServiceList", "", "", "", new String[@], 0, C277311n.INSTANCE)); 
"android.content.pm.PackageManager", "getInstalledPackagesAsUser" ms", new String[0], 0, C17266jk.LIZ("application”))); 
"android.content.pm.PackageManager", "getInstalledPackage: » new String[@], 0, C17260jk.LI: jpplication"))); 
"android.content.pm.PackageManager", "getPackagesForUid", » new String[@], 9, C17260jk.LIZ("application"))); 
"android.content.pm.PackageManager”, "queryIntentActivities", "", "", "", new String[@], @, C17260jk.LIZ("application”)))5 
"android.telephony.TelephonyManager", "getSimSerialNumber", "", "", "", new String[]{"android.permission.READ_PHONE_STATE"}, ©, C278311x.LIZIZ("network", "device_info"))); 
"android.telephony.Subscriptioninfo", "getIccId", "", "", "", new String[]{"android.permission.READ_ PHONE STATE"}, @, C278311x.LIZIZ("network", "device_info"))); 
"android.telephony.TelephonyManager", "getDeviceId", "", "", "", new String[]{"android, permission.READ_PHONE_STATE"}, @, C278311x.LIZIZ("network", "device_info"))); 
“android.telephony.TelephonyManager", "getImei", "", "", "", new String[]{"android.permission.READ_PHONE_STATE"}, @, C278311x.LIZIZ("network", "device_info"))); 
“android.telephony.TelephonyManager", "getNeid", "", "™, ™, new String[]{"android.permission.READ PHONE STATE"}, 0, C278311x.LIZIZ("network", "device_info"))); 
"android.net.wifi.WifiInfo", "getMacAddress", ", "", ", new String[9], @, C278311x.LIZIZ("location", "wifi", "device_info"))); 
"java.net.NetworkInterface", "getHardwareAddress", "", "", ", new String[0], 0, C17260jk.LIZ("device_info"))); 
"android.content.ClipboardManager", "clearPrimaryClip", "", "", "", new String[@], @, C17260jk.LIZ("clipboard"))); 
"android.content.ClipboardManager", “addPrimaryClipChangedListener", " , ", new String[@], 0, C17260jk.L1Z("clipboard"))); 
"android.content.ClipboardManager", "removePrimaryClipChangedListener", mm, "", new String[@], 6, C17260jk.LIZ("clipboard") 
"android.content.ClipboardManager", "getPrimaryClip", "", "", "", new String[@], ©, C17260jk.LIZ("clipboard"))); 
"android.content.ClipboardManager", "getText", "", ", String[0], 0, C17260jk.LIZ("clipboard"))); 
"android.content.ClipboardManager", "hasPrimaryClip", "", ™, new String[@], 0, C17260}k.L1Z("clipboard"))) ; 
"android.content.ClipboardManager", "hasText", m, "™, new String[O], 0, C17268jk.LIZ("clipboard"))); 
"android.content.ClipboardManager", "setPrimaryClip", "", "", "", new String[@], 0, C17260jk.LIZ("clipboard"))) 5 
"android.content.ClipboardManager", "setText", so", new String[ @, C17260jk.LIZ("clipboard"))); 
"android.content.ClipboardManager", "getPrimaryClipDescription", "", "", "", new String[@], @, C17260jk.LIZ("clipboard"))); 
“android.telephony.TelephonyManager", "getSubscriberId", ww, ™, new String[] {"endroid. permission. READ_PHONE_STATE"}, 0, C278311x.LIZIZ("network", "device_info"))); 
"android.telephony.TelephonyManager", "getLinelNumber", "", ", "", new String[]{"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS", "android.permission.READ_SMS"}, 1, C278311x. 
android.telephony.TelephonyManager", "getVoiceMailNumber", "", "", "", new String[]{"android.permission.READ PHONE_STATE"}, ©, C278311x.LIZIZ("network", "device info"))); 


, 
, 


Figure 3: Get all applications and running tasks on the device (green highlight). 
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GPS and Locations requests 


The Android application queries the device GPS location at least once per hour while running. 
This command is seen in figures 4 and 5. 


Figure 4: Get location code. 


Source: com.bytedance.bdlocation.BDLocation;-><init>:6 API Call: android.location.Location.getLatitude 

Source: com.bytedance.bdlocation.BDLocation;-><init>:7 API Call: android.location.Location.getLongitude 

Source: com.bytedance.bdlocation.BDLocation;-><init>:34 API Call: com.bytedance.bdlocation.BDLocation.getLatitude 
Source: com.bytedance. bdlocation.BDLocation;-><init>:36 API Call: com.bytedance_bdlocation.BDLocation.getLongitude 
Source: com.bytedance.bdlocation.BDLocation;->LIZ:70 API Call: android.location.Location.getLatitude 

Source: com.bytedance.bdlocation.BDLocation;->LIZ:72 API Call: android.location.Location.getLongitude 


Figure 5: TikTok get longitude and latitude data requests. 


Contacts 


The Android application requests access to user contacts. If the user denies access the 
application will continuously ask for access. TikTok does this as it runs its code in a loop that ifa 
Boolean (true or false) is stored as false, it will keep prompting until given a true value (see 
figure 6). It is normal for an application to initially request access to contacts but TikTok’s 
persistent, endless harassment for user contacts access is abnormal. It reflects a culture that 
does not prioritize privacy or a user’s preferences for privacy. 
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Deny & don’t ask again 


Sync your contacts to easily find 
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a OK 
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Allow 


Deny 
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Sync your contacts to easily find 
people you know on TikTok. Your 
contacts will only be used to help 


you connect with friends. 


OK 


Figure 7: TikTok Contacts access request prompts while in application. 
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Calendar 


The Android application has persistent access to read and modify calendar, see figure 8. TikTok 
only uses the calendar for special circumstances, for example when there is a TikTok LIVE 
event, based on our analysis. The persistency of access to the calendar is excessive in our 
opinion. 


Figure 8: Persistent calendar access. 


External storage 


TikTok Android application requests access to external storage. This is a standard command for 
a social media application to store video and images. The aspect we list as excessive is TikTok 
doesn’t just retrieve the ability to see folders it retrieves a list of everything available in the 
external storage folder where the application has the access to place files, see figure 9. 


public static File LIZ(Context context, String str) 
if (!TextUtils.isEmpty(str 
return context. getExternaLlFilesDir(str) ; 


if (C11550aX.LIZLLL != null && C11550aX.LI 
return C11550aX.LIZLLL}; 


File externalFilesDir = context. getExternalFilesDir(str) ; 
C€11550aX.LIZLLL = externalFilesDir; 
return externalFilesDir; 


Figure 9: List everything in external storage. 
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Device and user data harvesting 


Device Data 


TikTok also has potential to harvest an excessive amount of data about the device, it is 
important to note that due to limitations with dynamic analysis it is not currently possible to 
determine if any of this data is ever taken from the device, however, the Android application has 
code that can gather the following additional device details. See figures 10-12 


Wi-Fi SSID 

Device build serial number 

SIM serial number 

Integrated Circuit Card Identification Number (this is global unique serial number that is 
specifically tailored to your SIM card) 

Device IME] 

Device MAC address 

Device line number 

Device voicemail number 

GPS status information (updates on the GPS location) 

Active subscription information 

All accounts on the device 

Complete access to read the clipboard (dangerous as password managers use 
clipboards) 
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public final class CON7 { 
public static SparseArray<a> LIZIZ; 
public static final CON7 LIZLLL; 
public static HashMap<String, Integer> LIZ = new HashMap<>(); 
public static 
public static AtomicBoolean LJ = new AtomicBoolean(false) ; 
static { 
Covode. recordClassIndex (25449) ; 
CON7 rll = new CON7(); 
LIZLLL = rll; 
LIZIZ = new SparseArray<> (0); 
SparseArray<a> sparseArray = new SparseArray<>(108); 
LIZIZ = sparseArray; 


sparseArray. append (ImagePreloadExperiment.PRIORITY_DEFAULT, new a((int) ImagePreloadExperiment.PRIORITY_DEFAULT, “android. location.LocationManager", "getLastKnownLocation", "", 
“android. location.LocationManager", "requestLocationUpdates", "", "", 


LIZIZ.append(100001, new a(100001, 

LIZIZ.append(100002, new a(100002, "“android.location.LocationManager", "requestSingleUpdate", "", 
LIZIZ.append(100003, new a(100003, 

LIZIZ.append(100004, new a(100004, "android.location.LocationManager", "getCurrentLocation", "", 
LIZIZ.append(160005, new a(100005, "android. location.LocationManager", "addGpsStatusListener", "", 
LIZIZ.append(1@0006, new a(100006, "android. location.LocationManager", "addNmeaListener", "", 


LIZIZ. append (BuildConfig.VERSION_CODE, new a((int) BuildConfig.VERSION_CODE, “android.location.LocationManager", “addProximityAlert", "", 


“android.webkit.WebChromeClient", "onGeolocationPermissionsShowPrompt", "", 


internet20” 


List<a> LIZJ = C278311x.LIZIZ(new a(200000, "android. location.LocationManager", "getLastKnownLocation", "LocationManager_getLastKnownLocation", C68462k8.LIZ, C68462k8.LIZLLL, (String[]) null, C17260jk.LIZ("location"), 448), new a( 


wml owe 
* 


> new String[]{"android.permission.ACCESS_FINE_LOCATION", 
» New String[]{"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"}, 1, C1726@jk.LIZ("Location"))) 
» new String[]{"android.permission.ACCESS_FINE_LOCATION", “android.permission.ACCESS_COARSE_LOCATION"}, 1, C17260jk.LIZ("lLocation"))); 
umsoum, new String[0], ©, C17260jk.LIZ("location"))); 

u", new String[] {"android.permission.ACCESS_FINE_LOCATION", "android. permission.ACCESS_COARSE_LOCATION"}, 1, C1726@jk.LIZ("location"))); 
omy, new String[]{"android.permission.ACCESS_FINE_LOCATION"}, 9, C17260jk.LIZ("location") )); 

» new String[]{"android.permission.ACCESS_FINE_LOCATION"}, @, C17260jk.LIZ("location") )) 5 

omy, new String[0], ©, C17260jk.LIZ("Location"))); 


me 


uno 
> 

om 
> 


LIZIZ.append(100008, new a(100008, "android. location.LocationManager", "registerAntennaInfoListener", neyo", new String[] {"android.permission.ACCESS_FINE_LOCATION"}, ©, C17260jk.LIZ("location"))); 
LIZIZ.append(190009, new a(100009, "android. location.LocationManager", "registerGnssMeasurementsCallback", " wy u's new String[]{"android.permission.ACCESS_FINE_LOCATION"}, 9, C17260jk.LIZ("location"))); 
LIZIZ.append(160016, new a(100010, "android. location.LocationManager", "registerGnssNavigationMessageCallback", "", "", "", new String[]{"android.permission.ACCESS_FINE_LOCATION"}, ©, C17260jk.LIZ("location"))) 5; 
LIZIZ.append(1@0011, new a(100011, "android. location.LocationManager", "registerGnssStatusCallback", "", "", "", new String[]{"android.permission.ACCESS_FINE_LOCATION"}, ©, C17260jk.LIZ("location"))); 
LIZIZ.append(160012, new a(100012, "android.webkit.GeolocationPermissions$Callback", "invoke", "", "", "", new String[Q], ©, C1726@jk.LIZ("Location"))); 
LIZIZ.append(160100, new a(100100, "“android.hardware.Camera”, "open", "", " » New String[]{"android.permission.CAMERA"}, ©, C17260jk.LIZ("video"))); 
LIZIZ.append(160101, new a(100101, "android.hardware.Camera", "release", » "", new String[] {"android.permission.CAMERA"}, ©, C17260jk.LIZ("video"))); 
LIZIZ.append(160106, new a(100106, "android.hardware.Camera", "release", "", "", "", new String[]{"android.permission.CAMERA"}, ©, C17260jk.LIZ("video"))); 
LIZIZ.append(16020@, new a(100200, "android.hardware.camera2.CameraDevice$StateCallback", "onOpened", > "", new String[]{"android.permission.CAMERA"}, 0, C17260jk.LIZ("video")))5 
LIZIZ.append(160201, new a(100201, "android.hardware.camera2.CameraDevice", "close", "", "", "", new String[]{"android.permission.CAMERA"}, ©, C17260jk.LIZ("video"))); 
LIZIZ.append(160205, new a(100205, "android.hardware.camera2.CameraDevice", "close", "", "", "", new String[]{"android.permission.CAMERA"}, ©, C17260jk.LIZ("video"))); 
LIZIZ.append(16040@, new a(100400, "android.media.AudioRecord", "startRecording", "", "", "", new String[]{"android.permission.RECORD_AUDIO"}, @, C17260jk.LIZ("audio"))); 
LIZIZ.append(160401, new a(100401, "android.media.AudioRecord", "stop", uu, new String[]{"android.permission.RECORD_AUDIO"}, 9, C17260jk.LIZ("audio"))); 
LIZIZ.append(160403, new a(100403, "android.media.AudioRecord", "releas ", "", new String[]{"android.permission.RECORD_AUDIO"}, ©, C17260jk.LIZ("audio")))5; 
LIZIZ.append(160404, new a(100404, "android.media.AudioRecord", "stop", uu, new String[]{"android.permission.RECORD_AUDIO"}, @, C17260jk.LIZ("“audio"))); 
LIZIZ.append(160405, new a(100405, "android.media.AudioRecord", "release", "", "", "", new String[]{"android.permission.RECORD_AUDIO"}, ©, C17260jk.LIZ("audio"))); 
LIZIZ.append(100500, new a(100500, "android.media.MediaRecorder", "prepare", "", "", "", new String[]{"android.permission.RECORD_AUDIO"}, @, C278311x.LIZIZ("audio", “video"))); 
LIZIZ.append(100501, new a(100501, "android.media.MediaRecorder", "release", "", "", "", new String[]{"android.permission.RECORD_AUDIO"}, 9, C278311x.LIZIZ("audio", "video"))); 
LIZIZ.append(100502, new a(100502, "android.media.MediaRecorder", "start", "", "" » new String[]{"android.permission.RECORD_AUDIO"}, ©, C278311x.LIZIZ("audio", "video"))); 
LIZIZ.append(160503, new a(100503, "android.media.MediaRecorder", "stop", "", "", "", new String[]{"android.permission.RECORD_AUDIO"}, ©, C278311x.LIZIZ("audio", "video"))); 
LIZIZ.append(100702, new a(100702, "android.hardware.SensorManager", "getSensorList", "", "" new String[@], 9, C17260jk.LIZ("motion"))) 5; 
new aa! String[@], ©, C17260jk.LIZ("motion"))); 
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Figure 10: TikTok Data harvest image. 
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“"getBaseStationLatitude", "", » new String[]{"android.permission.ACCESS_FINE_LOCATION"}, 9, C17260jk.LIZ("location"))) 5 
“getBaseStationLongitude", "", "", "", new String[]{"android.permission.ACCESS_FINE_LOCATION"}, 6, C17260jk.LIZ("location"))); 
"getSystemId", "". "", "", new String[01,. ©, C17260ik.LIZ("Location"))); 


ocation")))3; 
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“android. telephony. SubscriptionManager", un 


“android.telephony.SubscriptionManager", 
“android.telephony.SubscriptionManager", 
"android.telephony.SubscriptionManager", 
“android.telecom.TeLecomManager", "getLinelNumber", "", 


“"getActiveSubscriptionInfoList", "", "", 
“getOpportunisticSubscriptions", "", "", 
"getSubscriptionsInGroup", "", "", 
"isActiveSubscriptionId", "", 

mm, new String[]{ 


» new String[]{"android.permission.READ_PHONE_STATE"}, @, C278311x.LIZIZ("network", "device_info"))); 

» new String[]{"android.permission.READ_PHONE_STATE"}, @, C278311x.LIZIZ("network", "device_info"))); 

» new String[]{"android.permission.READ_PHONE_STATE"}, @, C278311x.LIZIZ("network", "device_info"))); 

» new String[]{"android.permission.READ_PHONE_STATE"}, 9, C17260jk.LIZ("network"))); 

indroid.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS"}, 1, C278311x.LIZIZ("network", "device_info"))); 


r 


won 
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wn 
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“createScreenCaptureIntent", "", Fi 
uum 


“android.media.projection.MediaProjectionManager", 
“android.media.projection.MediaProjectionManager", "getMediaProjection", "", 
“android.media.projection.MediaProjection", "stop", "", "", "" 
“android.net.wifi.WifiManager", "getScanResults", "", 
“android.net.wifi.WwifiManager", "getConnectionInfo", "" 
“android.net.wifi.WifiManager", "startScan", "", "", 
“android.accounts.AccountManager", "getAccounts", "", "", ™ 


» new String[6], 0, C17260jk.LIZ("screen_record"))); 
» New String[0], ©, C17260jk.LIZ("screen_record"))); 

» new String[0], ©, C17260jk.LIZ("screen_record"))); 

» New String[]{"android.permission.ACCESS_FINE_LOCATION", "“android.permission.ACCESS_WIFI_STATE"}, 9, C278311x.LIZIZ("wifi", "location"))); 
uu, new String[0], ©, C278311x.LIZIZ("wifi", "location"))); 

new String[]{"android.permission.CHANGE_WIFI_STATE"}, ©, C17260jk.LIZ("wifi"))); 

new String[]{"android.permission.GET_ACCOUNTS"}, ©, C17260jk.LIZ("account") )); 

“android.accounts.AccountManager", "getAccountsByType”", "", "", "", new String[]{"android.permission.GET_ACCOUNTS"}, @, C17260jk.LIZ("account"))) 3; 

“android.accounts.AccountManager", "getAccountsByTypeAndFeatures", "", "", "", new String[]{"android.permission.GET_ACCOUNTS"}, @, C17260jk.LIZ("account"))); 

“android.app.Activity", "requestPermissions", "", "", new String[@], @, C277311n. INSTANCE) ) ; 

“android.app.Fragment", "requestPermissions", "", "", " new String[@], 9, C277311n. INSTANCE) ) ; 

“android.webkit.WebChromeClient", "onPermissionRequest" >", "", new String[0], 9, C277311n. INSTANCE) ); 

"android.webkit.PermissionRequest", "grant", "" ", new String[0], ©, C277311n. INSTANCE) ); 

“android.webkit.PermissionRequest", "deny", "", "", "", new String[0], ©, C277311n.INSTANCE)); 

"java.lang.reflect.Method", "invoke", "", u", new String[0], 9, C277311n. INSTANCE)); 

“android.content.ContentResolver", "query", » "", new String[0], ©, C278311x.LIZIZ("album", "calendar", "“contact"))); 

"android.content.ContentResolver", "applyBatch", ww, new String[0], ©, C278311x.LIZIZ("album", "calendar", "contact"))); 


Figure 11: TikTok Data harvest image. 
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LIZIZ.append(100904, new a(100904, "android.telephony.cdma.CdmaCellLocation", "getSystemId", "", um, new String[0], ©, C17260jk.LIZ("location"))); 
LIZIZ.append(100905, new a(100905, "android.telephony.cdma.CdmaCellLocation", "“getNetworkId", " >» "", new String[0], ©, C17260jk.LIZ("location"))); 
LIZIZ.append(100906, new a(100906, “android.telephony.gsm.GsmCellLocation", "getCid", "", "", "", new String[0], ©, C17260jk.LIZ(" 
LIZIZ.append(100907, new a(100907, "android.telephony.gsm.GsmCellLocation", "getLac", "", "", "", new String[0], 0, C17260jk.LIZ(" 
LIZIZ.append(1090908, new a(100908, "android.telephony.gsm.GsmCellLocation", "getPsc", " "", new String[Q], 0, C17260jk.LIZ("locatio 


LIZIZ.append(100911, new a(100911, "android.telephony.PhoneStateListener", "onCellLocationChanged", "", "", "", new String[]{"android.permission.ACCESS_FINE_LOCATION"}, 9, C17260jk.LIZ("location"))); 
LIZIZ.append(100912, new a(100912, "android.telephony.PhoneStateListener", "onCellInfoChanged", "", "", "", new String[]{"android.permission.ACCESS_FINE_LOCATION"}, ©, C17260jk.LIZ("Location"))); 
LIZIZ.append(101000, new a(101000, “android.net.wifi.WifiInfo", “getSSID", "", "", "", new String[@], @, C278311x.LIZIZ("location", "wifi", "device_info"))); 
LIZIZ.append(101001, new a(101001, "android.net.wifi.wifiManager", "getConfiguredNetworks", "", "", "", new String[]{"android.permission.ACCESS _FINE_LOCATION", "android.permission.ACCESS _WIFI_STATE"}, ©, C278311x.LIZIZ("location", "wifi"))) 
LIZIZ.append(101100, new a(101100, "android.net.wifi.WifiInfo", "getBSSID", "", "", "", new String[@], @, C278311x.LIZIZ("location", "wifi", "device_info"))); 
LIZIZ.append(101200, new a(101200, "android.os.Build", "getSerial", "", "", "", new String[]{"android.permission.READ_PHONE_STATE"}, @, C17260jk.LIZ("device_info"))); 
LIZIZ.append(101300, new a(101300, "“android.app.ActivityManager", "getRecentTasks", "", ", new String[0], ©, C17260jk.LIZ("application"))); 
LIZIZ.append(101301, new a(101301, "android.app.ActivityManager", "getRunningTasks", "", > "", new String[0], 9, C17260jk.LIZ("application"))); 
LIZIZ.append(101302, new a(101302, "android.app.ActivityManager", "getRunningServices", " ", "", new String[0], ©, C17260jk.LIZ("application")))3; 
LIZIZ.append(101304, new a(101304, “android.content.pm.PackageManager", “getInstalledApplications", moun ou, new String[@], 9, C17260jk.LIZ("application"))); 
LIZIZ.append(101305, new a(101305, "android.content.pm.PackageManager", "getInstalledApplicationsAsUser", "", "", "", new String[0], 0, C17260jk.LIZ("application"))); 
LIZIZ.append(101306, new a(101306, "android.view.accessibility.AccessibilityManager", "getInstalledAccessibilityServiceList", "", "", "", new String[@], ©, C17260jk.LIZ("application") )); 
LIZIZ.append(101307, new a(101307, "android.view.accessibility.AccessibilityManager", "getEnabledAccessibilityServiceList", "", "", "", new String[@], ©, C277311n. INSTANCE) ); 
LIZIZ.append(101308, new a(101308, “android.content.pm.PackageManager", “getInstalledPackagesAsUser", "", "", "", new String[0], 9, C17260jk.LIZ("application"))); 
LIZIZ.append(101309, new a(101309, "android.content.pm.PackageManager", "getInstalledPackages", "", "", "", new String[O], 6, C17260jk.LIZ("application"))); 
LIZIZ.append(10131@, new a(101310, "android.content.pm.PackageManager", "getPackagesForUid" et uu, new String[0], ©, C17260jk.LIZ("application"))); 
LIZIZ.append(101311, new a(101311 queryIntentActivities uu, new String[0], ©, C17260jk.LIZ("application"))); 
n 
LIZIZ.append(101500, new a(101500, "android.telephony.SubscriptionInfo", "getIccId", " >» "", new String[]{"android.permission.READ_PHONE_STATE"}, ©, C278311x.LIZIZ("network", "device_info"))); 


LIZIZ.append(10170@, new a(101700, "android.net.wifi.WifiInfo", "getMacAddress", "", "", "", new String[@], @, C278311x.LIZIZ("location", "wifi", "device_info"))); 
LIZIZ.append(101701, new a(101701, "java.net.NetworkInterface", "getHardwareAddress", "", "", "", new String[0], ©, C17260jk.LIZ("device_info"))); 
LIZIZ.append(101800, new a(101800, "android.content.ClipboardManager", "clearPrimaryClip", "", "", "", new String[0], ©, C17260jk.LIZ("clipboard") )); 
LIZIZ.append(101801, new a(101801, "android.content.ClipboardManager", "addPrimaryClipChangedListener", "", "", new String[0], ©, C17260jk.LIZ("clipboard"))); 
LIZIZ.append(101802, new a(101802, "android.content.ClipboardManager", "removePrimaryClipChangedListener", "", "", "", new String[0], 9, C1726@jk.LIZ("clipboard"))); 
LIZIZ.append(101803, new a(101803, "“android.content.ClipboardManager", "getPrimaryClip", "", "", "", new String[01, ©, C17260jk.LIZ("clipboard"))); 
LIZIZ.append(101804, new a(101804, "android.content.ClipboardManager", "getText", "", ws » new String[0], 0, c172603k. LIZ("clipboard") )); 

LIZIZ.append(101805, new a(101805, "android.content.ClipboardManager", "hasPrimaryClip", uu, "", new String[0], ©, C17260jk.LIZ("clipboard"))); 
LIZIZ.append(101806, new a(101806, "android.content.ClipboardManager", "hasText", "", "" » New String[0], ©, C17260jk.LIZ("clipboard"))); 

LIZIZ.append(101807, new a(101807, "android.content.ClipboardManager", "“setPrimaryClip", "", "", "", new String[0], ©, C17260jk.LIZ("clipboard"))); 
LIZIZ.append(101808, new a(101808, "android.content.ClipboardManager", "setText", "", "", "", new String[0], ©, C17260jk.LIZ("clipboard"))); 

LIZIZ.append(101809, new a(101809, "android.content.ClipboardManager", "getPrimaryClipDescription", aif te ee | String[@], e, Las PEAS lath 


LIZIZ.append(102002, new a(102002, “android.os.Build", "SERIAL", "", "", "", new String[@], 0, C17260jk.LIZ("device_info"))); 

LIZIZ.append(102003, new a(102003, "android.provider.Settings$System", "getString", "", "", "", new String[@], 0, C17260jk.LIZ("device_info"))); 

LIZIZ.append(102004, new a(102004, "android.provider.Settings$Secure", "getString", "", "", "", new String[@], ©, C17260jk.LIZ("device_info"))); 

LIZIZ.append(102005, new a(102005, "android.telephony.SubscriptionManager", "getActiveSubscriptionInfo", "", "", "", new String[]{"android.permission.READ_PHONE_STATE"}, ©, C278311x.LIZIZ("network", "“device_info")))3; 
LIZIZ.append(102006, new a(102006, “android.telephony.SubscriptionManager", "getActiveSubscriptionInfoCount", "", "", "", new String[]{"android.permission.READ_PHONE_STATE"}, ©, C1726Qjk.LIZ("network"))); 
LIZIZ.append(102007, new a(102007, "android.telephony.SubscriptionManager", "getActiveSubscriptionInfoForSimSlotIndex", "", "", "", new String[]{"android.permission.READ_PHONE_STATE"}, ©, C17260jk.LIZ("network"))); 
LIZIZ.append(102008, new a(102008, "android.telephony.SubscriptionManager", "getActiveSubscriptionInfoList", "", ", "", new String[]{"android.permission.READ_PHONE_STATE"}, @, C278311x.LIZIZ("network", "device_info"))); 


Figure 12: TikTok Data harvest image. 
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Of note: Joe’s Sandbox rated the Android application as malicious for Spyware and Evader 
categories as seen in Figure 13 because of device and user data collection by the application and 
evasive techniques the application uses to block any type of analysis. Many applications have 
anti-sandbox run commands now to inhibit automatic analysis, the sandbox identifies these and 
categories it in the evader category. 
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Figure 13. TikTok rating as per Joe’s sandbox (https://www.joesandbox.com/). 


IOS connects to mainland China 


TikTok are specific in their statement that TikTok user data is stored in Singapore and the US. 
However, we found many subdomains in the IOS application resolving all around the world 
including: Sydney, Adelaide and Melbourne (Australia); New York City, Las Vegas, San Francisco, 
San Jose, Monrovia, Cambridge, Kansas City, Dallas, Mountain View (USA); Utama and Jakarta 
(Indonesia), Kuala Lumpur (Malaysia), Paris (France), Singapore (Singapore) and Baishan 
(China). During analysis we could not determine with high confidence the purpose for the China 
Server connection or where user data is stored. The China server connection is run by st" AL 
BEAK (A be 2 =] Guizhou Baishan Cloud Technology Co., Ltd a cloud and cyber security 
company. The subdomain connected to the “China server connection” resolved in multiple 
locations around the world including in China. The IP address resolving to China regularly 
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changed locations, however, connectivity to Baishan Guangxi China was visible across a number 
of different IP addresses over time. This was confirmed through the use of a number of security 
products and methods, including virus total, Metasploit, security trails and sandboxing. 
Interestingly, this company has been rated a top 100 Chinese cyber security company and in 
2021 established a joint big data laboratory with Guizhou University.* Of note only the IOS 
version had this mainland direct server connection. We could not find any direct server 
connections with mainland China in the Android version of the application. 


Conclusion 


For the TikTok application to function properly most of the access and device data collection is 
not required. The application can and will run successfully without any of this data being 
gathered. This leads us to believe that the only reason this information has been gathered is for 
data harvesting. It is also notable that the device only needs to ask the user for permission to 
perform each of these actions once and then follow the user’s preferences. The application 
however has a culture of persistent access or continuously asking for a decision reversal by the 
user. The hourly checking of location is also unnecessary. Finally, device mapping, external 
storage access, contacts and third-party applications data collection allows TikTok the ability to 
reimage the phone in the likeness of the original device. 


* https://baike.baidu.com/reference/23443686/44e44NXRi0exRZo-8rbRsVSmZI- 


hjxLfaZVO4j748emxXOcfv_uNtLclyLacO9EyZEBSnmwlHmEjKgerSKyJqfjRJXffvnMrZx3 fiyd7KgfZXHQTJqcQiSTTZNcY 
s12v7vcNN 


https://baike.baidu.com/reference/23443686/cc63DG_6ZWBsyHhiqR450VCvsMnuyzlROgdcmvvuXilWB48sb7 
YhfKhpeWvO0ZpsePYpHI2ZEMcS8LdZe2yWIZPp3rLCUtoQfy96e5-_uuvbQ 
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